First of all, im not a n00b so please dont tell me to read some tutorials and learn basics, because i already know. Im trying to get information from a table from database from a particular web site. There is a simple form(username and pass) which is processed by same index.php on which the form is. I first of all, check cookies then if there is any JS (there is none), no hidden stuff(as far as i know), no SSI, so i next thing i tried logically was SQL injection. I tried some basics first--> 'OR 1=1-- for username and pass, and i got in. Nothing interesting, because i wanted to get the info of everyone from database. Then the stuff became interesting. If i tried 'OR 1=1-- for username and blabla for pass, i get these error: DATABASE ERROR: SELECT id, name, surname, uporabniskoime, skupina, lan FROM ajm_mail_userdata WHERE uporabniskoime=''OR 1=1--' AND geslo='blabla' AND cv_flag =1. So good for me, now i know the database name(ajm_mail_userdata) and all the columns. But whatever technique of SQL injection i tried next to get data from columns(UNION TOP 1.....; UNION ALL; just SELECT,...) it didnt worked. I tryed with all sorts(i could think of) of ' changing with " and -- with # and other things. The problem is i always get the error: DATABASE ERROR......! No ODBC error message, so no information whatsoever. So my questions in this long post are: Why no ODBC error? Is "DATABASE ERROR" telling me something about which system/database is used on that site? Why is UNION,... not working, as it is clear the php page is vulnerable to SQL injection? What cv_flag=1 means (it must be important cuz its joined with the pass query with AND)? And finally, is any1 have any ideas how to break this problem? THANK YOU ALL

Maybe you shouldn't be so arrogant. Maybe you know less than you think you do.

Aside from that, "ODBC" shows that the Microsoft SQL server is being used. Maybe they don't use it? Or maybe they are simply catching a SQL error (from querying with invalid SQL) and displaying that as "Database Error".

Try and work out what the SQL is that you are sticking your own SQL into.